In recent years, it has become increasingly difficult to detect malicious activity carried out on internal networks. One type of threat that has become more of an issue is the "insider" threat, which pertains to the situation in which an insider (such as a company employee or contractor) performs malicious activities from inside the company firewall. This is in contrast to many other types of threats, which involve attacks from external hosts originating outside the company network. Given the extreme levels of damage that may result from the malicious activities of an insider, identification of insider threats has become an important goal in the context of network security for many organizations.
However, it is very difficult to effectively detect the presence of an insider threat. By definition, perimeter solutions (firewalls or Intrusion Prevention Systems) are not deployed in a manner that allows them to detect human-driven malicious behavior that occurs inside the network; such systems are typically oriented toward the detection of threats originating from outside the network, and traffic that never crosses the perimeter is never inspected by them.
Furthermore, most IT organizations grant hosts inside their networks a very broad set of rights, so that a great deal of legitimate internal activity looks, in isolation, much like the activity of an attacker. The definition and detection of anomalous and ultimately malicious behavior is thus much harder. In addition, the volume of traffic moving through the inside of modern networks is substantially larger than even in the recent past, making it more difficult to assess whether any particular portion of the data conveyed is malicious, harmful, or corresponds to a security breach or threat.
A large array of sensors installed on individual hosts would be able to monitor and flag malicious behavior. However, such solutions are invasive, costly, and difficult to maintain. Additionally, these solutions often operate by attempting to detect a set of known scenarios through the use of pre-programmed rules or heuristics. One problem with this approach is that it is impossible to always know ahead of time the specific characteristics of every threat that may be carried out; a rule written for one known scenario says nothing about a scenario it was not written for. Hence such systems are always playing "catch up" to the real-world threats that actually take place.
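The following is an added illustration, not part of the original text, of the "catch up" problem described above: a pre-programmed rule for one known scenario (a host fanning out to many peers over SMB) is run beside a simple per-host behavioral baseline over constructed internal flow records. The host names, ports, byte counts and thresholds are invented for the example; the rule and the baseline are generic sketches, not any particular product's logic.

```python
from collections import defaultdict
from statistics import median

# Constructed sample flow records (invented for this example): one record per
# internal connection, as (day, src_host, dst_host, dst_port, bytes_transferred).
FLOWS = [
    # Days 1-4: ordinary activity for workstation ws-17.
    (1, "ws-17", "fs-01", 445, 12_000),
    (1, "ws-17", "mail-01", 993, 4_000),
    (2, "ws-17", "fs-01", 445, 15_000),
    (2, "ws-17", "mail-01", 993, 5_000),
    (3, "ws-17", "fs-01", 445, 11_000),
    (3, "ws-17", "mail-01", 993, 4_500),
    (4, "ws-17", "fs-01", 445, 14_000),
    (4, "ws-17", "mail-01", 993, 3_800),
    # Day 5: the known scenario the rule was written for - SMB fan-out to many hosts.
    (5, "ws-17", "ws-02", 445, 2_000),
    (5, "ws-17", "ws-03", 445, 2_000),
    (5, "ws-17", "ws-04", 445, 2_000),
    (5, "ws-17", "ws-05", 445, 2_000),
    (5, "ws-17", "ws-06", 445, 2_000),
    # Day 6: a scenario the rule does not cover - one host, one port, enormous volume.
    (6, "ws-17", "fs-01", 445, 12_500),
    (6, "ws-17", "db-02", 5432, 900_000_000),
]

# Hypothetical rule threshold: distinct SMB targets per source host per day.
SMB_FANOUT_THRESHOLD = 4


def rule_based_alerts(flows, day):
    """Pre-programmed rule: a source host that reaches at least
    SMB_FANOUT_THRESHOLD distinct hosts on TCP/445 in one day is flagged.
    Anything not matching this exact pattern is invisible to the rule."""
    targets = defaultdict(set)
    for d, src, dst, port, _ in flows:
        if d == day and port == 445:
            targets[src].add(dst)
    return sorted(src for src, dsts in targets.items()
                  if len(dsts) >= SMB_FANOUT_THRESHOLD)


def daily_bytes(flows):
    """Total bytes sent per (src_host, day)."""
    totals = defaultdict(int)
    for d, src, _, _, nbytes in flows:
        totals[(src, d)] += nbytes
    return totals


def baseline_alerts(flows, day, history_days, factor=10):
    """Behavioural check: flag a host whose volume on `day` exceeds `factor`
    times its median daily volume over `history_days`. No scenario-specific
    knowledge is needed; the host's own past activity is the reference."""
    totals = daily_bytes(flows)
    hosts = {src for src, _ in totals}
    alerts = []
    for src in sorted(hosts):
        history = [totals.get((src, d), 0) for d in history_days]
        if not history:
            continue
        base = median(history)
        today = totals.get((src, day), 0)
        if base > 0 and today > factor * base:
            alerts.append(src)
    return alerts


if __name__ == "__main__":
    # Day 5: the rule fires, the volume baseline sees nothing unusual.
    print("day 5 rule:", rule_based_alerts(FLOWS, 5))
    print("day 5 baseline:", baseline_alerts(FLOWS, 6 - 1, [1, 2, 3, 4]))
    # Day 6: the rule is silent, the baseline flags the host.
    print("day 6 rule:", rule_based_alerts(FLOWS, 6))
    print("day 6 baseline:", baseline_alerts(FLOWS, 6, [1, 2, 3, 4]))
```

The two detectors have complementary blind spots: the rule catches only the scenario it encodes, and the volume baseline catches only deviations in the single feature it measures (here it misses the day-5 fan-out, whose total volume is small). The point of the illustration is the first blind spot: a rule cannot fire on a pattern nobody anticipated when it was written, which is the gap the present disclosure is concerned with.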
Therefore, there is a need for an improved approach to implementing insider threat detection.